
Rewterz Threat Alert – Icnanker, a Linux Trojan-Downloader

March 24, 2020

Severity

High

Analysis Summary

An unknown ELF sample was found generating Elknot botnet-related network traffic. It turned out to be a Trojan-Downloader that uses the “SHC (Shell script compiler)” technique and propagates through weak SSH credentials. The author appears to be an old player, Icnanker, who leaves his QQ number and name in his code. Icnanker is the first Linux malware family we have observed that uses SHC. Icnanker samples fall into two categories according to their function:

  • Downloader

The Downloader is mainly used to facilitate DDoS and mining attacks. Its current samples include Elknot Botnet, Xor Botnet and XMRMiner. On the Icnanker-related HFS servers, the current download count is 20,114, growing by about 500 per day.

  • Protector

The Protector is used to keep samples from being deleted. It is currently used to protect the mining service.

Icnanker has the following capabilities:

  • Download and execute specific samples
  • Add new users
  • Delete system commands
  • Hide itself
  • Persistence

Impact

  • Code execution
  • Data manipulation
  • Detection Evasion
  • DDoS
  • Mining

Indicators of Compromise

Hostname

  • ubt[.]ubtv[.]xyz
  • sys[.]jave[.]xyz
  • jav[.]jave[.]xyz
  • 8uch[.]jave[.]xyz
  • 8uc1[.]jave[.]xyz
  • xz[.]jave[.]xyz
  • 8uc2[.]ubtv[.]xyz

MD5

  • 4a3e1ff8cfc0d334550b815b6d82d89e
  • 765a0899cb87400e8a27ab572f3cdd61
  • 5c90bfbae5c030da91c9054ecb3194b6
  • 187fa428ed44f006df0c8232be4a6e4e
  • 89cd1ebfa5757dca1286fd925e0762de
  • 5790dedae465994d179c63782e51bac1
  • d989e81c4eb23c1e701024ed26f55849
  • 0764da93868218d6ae999ed7bd66a98e
  • eec19f1639871b6e6356e7ee05db8a94
  • 6abe83ee8481b5ce0894d837eabb41df

SHA-256

  • 6aba3638f630ca61563ad33503d039db4082c389a270263d34bebefe68a31287
  • 400bac87f1303e6ed8b85b009454d8b6cd12fe38337119e03a4c7d0cdb130577
  • 741c09277639628acaed49e07ed1f17dea12d613336ff3145c8b224bab033215
  • 99a5875ce98349a17224569db4fd86fab9277bca1462744bd3b0ae227ee96e8a
  • eebd1648a3d603a26f4c9de11f1ac68e110573388d22a5a65b9daf50116bc5c5
  • 2c311b145c1c8e41cf72db978b554f82534a5e3ec6cce5a29d5988d57dbe5fb1
  • 4da20ce9dbac55cdddb3497153cf04062347be20a541e8096b42b6094340b5e1
  • cf144edc695e4cd84189e4e7230b5cfa7a0a5fb1a15aa397ec8ba085446e245a
  • aec62371dbc7e7338c99b0cbc5f09f037d4ebacbfcfad9e844ba71f5053a4d23
  • 398b8988661a37761c490bb85c7454bd20f6469b821cbf6d97751348d7cf30c5

URL

  • http[:]//xz[.]jave[.]xyz/[.]xm
  • http[:]//xz[.]jave[.]xyz/mr[.]tar
  • http[:]//xz[.]jave[.]xyz[:]22345/[.]xm
  • http[:]//xz[.]jave[.]xyz[:]22345/[.]xm1
  • http[:]//jav[.]jave[.]xyz[:]6001
  • http[:]//8uc1[.]jave[.]xyz[:]1987
  • http[:]//ubt[.]ubtv[.]xyz[:]19880
  • http[:]//8uch[.]jave[.]xyz[:]3478
  • http[:]//8uc2[.]ubtv[.]xyz[:]2987
  • http[:]//xz[.]jave[.]xyz[:]22345
  • http[:]//sys[.]jave[.]xyz[:]1764

Remediation

  • Block the threat indicators at their respective controls.
  • Use unique and strong credentials and implement multi-factor authentication.
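To act on the first remediation item, the following Python script is an added example (not tooling from this advisory or from Rewterz) that refangs the indicators listed above, checks hostnames against DNS/proxy log lines and checks file digests against the MD5 and SHA-256 lists. The log lines in `SAMPLE_LOG` and every value passed to `lookup_hash` in the usage section are constructed sample input; the only data taken from the advisory are the indicator lists themselves.

```python
"""Match the Icnanker indicators from the advisory against log lines and file digests."""
import hashlib
import re

# Indicators copied from the advisory in their defanged form.
DEFANGED_HOSTNAMES = [
    "ubt[.]ubtv[.]xyz", "sys[.]jave[.]xyz", "jav[.]jave[.]xyz", "8uch[.]jave[.]xyz",
    "8uc1[.]jave[.]xyz", "xz[.]jave[.]xyz", "8uc2[.]ubtv[.]xyz",
]
MD5_IOCS = {
    "4a3e1ff8cfc0d334550b815b6d82d89e", "765a0899cb87400e8a27ab572f3cdd61",
    "5c90bfbae5c030da91c9054ecb3194b6", "187fa428ed44f006df0c8232be4a6e4e",
    "89cd1ebfa5757dca1286fd925e0762de", "5790dedae465994d179c63782e51bac1",
    "d989e81c4eb23c1e701024ed26f55849", "0764da93868218d6ae999ed7bd66a98e",
    "eec19f1639871b6e6356e7ee05db8a94", "6abe83ee8481b5ce0894d837eabb41df",
}
SHA256_IOCS = {
    "6aba3638f630ca61563ad33503d039db4082c389a270263d34bebefe68a31287",
    "400bac87f1303e6ed8b85b009454d8b6cd12fe38337119e03a4c7d0cdb130577",
    "741c09277639628acaed49e07ed1f17dea12d613336ff3145c8b224bab033215",
    "99a5875ce98349a17224569db4fd86fab9277bca1462744bd3b0ae227ee96e8a",
    "eebd1648a3d603a26f4c9de11f1ac68e110573388d22a5a65b9daf50116bc5c5",
    "2c311b145c1c8e41cf72db978b554f82534a5e3ec6cce5a29d5988d57dbe5fb1",
    "4da20ce9dbac55cdddb3497153cf04062347be20a541e8096b42b6094340b5e1",
    "cf144edc695e4cd84189e4e7230b5cfa7a0a5fb1a15aa397ec8ba085446e245a",
    "aec62371dbc7e7338c99b0cbc5f09f037d4ebacbfcfad9e844ba71f5053a4d23",
    "398b8988661a37761c490bb85c7454bd20f6469b821cbf6d97751348d7cf30c5",
}


def refang(indicator: str) -> str:
    """Undo the [.] and [:] defanging the advisory uses so the value can be matched or blocked."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


HOSTNAMES = {refang(h).lower() for h in DEFANGED_HOSTNAMES}

# Loose hostname token: dotted labels ending in a TLD-like label (ports and paths are excluded).
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_hostname_hits(log_lines):
    """Return (line_index, hostname) for each log line mentioning an IoC hostname, case-folded."""
    hits = []
    for idx, line in enumerate(log_lines):
        for token in HOST_RE.findall(line):
            if token.lower() in HOSTNAMES:
                hits.append((idx, token.lower()))
    return hits


def lookup_hash(hexdigest: str):
    """Classify a digest from EDR telemetry or a file inventory; None when it is not an IoC."""
    h = hexdigest.strip().lower()
    if h in MD5_IOCS:
        return "md5"
    if h in SHA256_IOCS:
        return "sha256"
    return None


def hash_hits(data: bytes):
    """Hash a file's bytes and report which advisory hash lists it appears in."""
    hits = []
    for name, digest in (("md5", hashlib.md5(data).hexdigest()),
                         ("sha256", hashlib.sha256(data).hexdigest())):
        if lookup_hash(digest) == name:
            hits.append((name, digest))
    return hits


# Constructed sample log lines (not real telemetry); lines 0-2 should match, line 3 should not.
SAMPLE_LOG = [
    "2020-03-24T10:01:02Z dns query host1 A xz.jave.xyz",
    "2020-03-24T10:01:05Z proxy host1 GET http://xz.jave.xyz:22345/.xm 200",
    "2020-03-24T10:01:40Z dns query host2 A SYS.JAVE.XYZ",
    "2020-03-24T10:02:10Z dns query host2 A updates.example.org",
]

if __name__ == "__main__":
    for idx, host in find_hostname_hits(SAMPLE_LOG):
        print(f"line {idx}: contact with IoC hostname {host}")
    # Constructed lookups: one digest copied from the advisory list, one that is not an IoC.
    print(lookup_hash("4a3e1ff8cfc0d334550b815b6d82d89e"))  # md5
    print(hash_hits(b"not a sample"))                        # []
```

Feed real DNS, proxy or firewall exports to `find_hostname_hits` and the output of a file-hashing inventory to `lookup_hash`; the regex is deliberately loose so that hostnames embedded in URLs with ports or paths (as in the advisory's URL list) are still recognised.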